Monday 31 December 2007

Js/snz.a - likely false positive in eTrust / Vet Anti-Virus

It appears that CA's eTrust Anti-Virus product (also known as Vet Anti-Virus, and often bundled with other security applications such as ZoneAlarm) is raising a false positive for js/snz.a on several complex JavaScript applications.

As far as I can tell, the JavaScript uses complex encoding but is not malware. These JavaScript elements are widely used on the web; they are not harmful in any way, and this is a mis-identification by eTrust / Vet.

The signature that has the problem is 31.3.5417, dated 31/12/07.

Some of the Javascript files that seem to trigger an alert are named:

  • jquery.js
  • mootools.js
  • ifx.js
  • show_ads.js
  • relevancead.js
  • submodal.js
  • iutil.js
  • ifxslide.js

There may be other JavaScript apps that show the same problem; of course, filenames are arbitrary and can be absolutely anything at all.

If you're running Internet Explorer, then you may see an alert for an individual .js file as above. In a Mozilla-based browser (such as SeaMonkey or Firefox) you may instead get a virus alert for the browser's cached copy of the script, with a name similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx

Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.

You can submit suspect files to CA here for analysis, which may well help them fix the problem.

Follow up: this problem has now been fixed. It turns out that the JavaScript had been compressed using this packer tool, which is itself harmless, but the packer has been used for malicious JavaScript applications in the past as well as legitimate ones, so a signature written against the packer's output fires on both. Perhaps the lesson is: don't pack or obfuscate your JavaScript!
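An added example, not from the original post or from CA: a small Python triage script of the sort an admin can use to read what a packed script really does before acting on an alert. It assumes the file was produced by a dictionary packer of the common `eval(function(p,a,c,k,e,d){...})('payload', base, count, 'words'.split('|'))` shape (the post does not name the packer) and decodes it by string substitution only, never by running it; `unpack`, `encode` and the packed sample are all constructed here.

```python
"""Static triage of a packer-style JavaScript file (constructed example)."""
import re

# Digit alphabet of this packer family: base 10 and 36 use the first
# 10 / 36 symbols, base 62 extends the set with A-Z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# The argument list the stub is called with:
#   ('<payload>', <base>, <count>, '<w0|w1|...>'.split('|'), ...)
STUB_ARGS = re.compile(
    r"\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*"
    r"'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)

def encode(n: int, base: int) -> str:
    """Token the packer substituted for dictionary slot n."""
    digits = ""
    while True:
        digits = ALPHABET[n % base] + digits
        n //= base
        if n == 0:
            return digits

def unpack(source: str):
    """Return the original code, or None if no packer stub is present.

    Only string substitution is used; the file is never executed.
    """
    m = STUB_ARGS.search(source)
    if not m:
        return None
    payload, base, count = m.group(1), int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")
    payload = re.sub(r"\\(.)", r"\1", payload)  # undo \' and \\ escaping (simplified)
    # Highest slot first, exactly as the stub does; an empty slot means
    # the token already is its own name and is left alone.
    for i in range(count - 1, -1, -1):
        word = words[i] if i < len(words) else ""
        if word:
            token = r"\b" + re.escape(encode(i, base)) + r"\b"
            payload = re.sub(token, lambda _m, w=word: w, payload)
    return payload

# Constructed packed sample (decoder body elided); a real file carries the
# full decoder function where the comment is.
PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* decoder elided */return p}"
    "('0 1(2){3(\\'Hello \\'+2)}1(\\'world\\')',36,4,"
    "'function|hello|name|alert'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack(PACKED_SAMPLE) or "not packed")
```

Because the decoded text is what the library actually does, an analyst can compare it against the vendor's published source before disputing or accepting the detection.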

29 comments:

  1. I have had this a couple of times this morning. Hopefully CA will resolve shortly!

  2. Thank you very much for this summary of the issue. Quite hard to gather information today - it seems that most of the IT guys are already out for party...

  3. Funny... nothing like coming in to work in the morning, sipping a fresh cup of coffee and all of a sudden getting this rash of pop-ups stating "The JS/Snz.A was detected in blah blah blah". I didn't need my coffee to wake me up today! :-)
    Thanks for posting this information. Cheers everyone and happy new year!

  4. Yeah, same. It just started this morning; I was wondering what it is.

  5. Thanks for posting this! We compress Coolmenus406.js and mootips.js, both showed as "infected" by CA Enterprise Anti-Virus. Yet I'm sure they're not.

  6. And yes, happy new year and party hard.

  7. Immediately following an update for my CA security software, I received eight notices of an infection: JS/SNZ.A

  8. I also received 28 alerts this morning. All files have been deleted by ZoneAlarm.

    At the same time I received these alerts I also received a lot of warning messages from 'Poker Academy Pro 2'.

  9. Yup, I'm a sysadmin for a decent size network and this morning my inbox greeted me with 283 new infection notifications! I hope CA fixes this by Wednesday before people actually come back to work and really start using their machines again!

  10. I had four of these alerts this morning, too: I found the tip really helpful, so thanks.

    Interesting to note that when I clicked on the link for JS/Snz.A in the CA Anti-Virus alert message box, I got a "no search results found" from the CA website! I got even more concerned when I couldn't Google it, either...

    I've contacted CA but have yet to get a response.

    I agree with Tim: you don't need caffeine to get you going when this sort of thing happens!!

    Let's hope CA sort this soon.

  11. Thank you for the timely entry. Most users are just getting to work in AZ. I've been here a while and just now started to get a couple of these.

  12. I don't want to be a pain, but the times posted on your comments are for this afternoon; it is now 09:19 am here in IA.

  13. Thanks a lot! I'm seeing this all over the place this morning.

  14. You may want to add Dean Edwards' compliance patch for Microsoft browsers ie7-standard-p.js.

  15. Stewart expressed my situation well, and thanks for posting the link to let CA know.

  16. We use eTrust ITM on about 500 computers here at work. We have talked to CA and they confirm it is a false positive. They are hoping to have an update out by 2pm EST.

  17. Looks like I may not even be able to finish testing my new site (which uses jquery) until this update comes in. On IE, the file is stripped, so none of the stuff I'm testing will work.

  18. Same here ... over 100 PCs.
    A temporary fix (not secure!!!) was to disable Realtime ...

  19. Thanks Eric, that is nice to know. This could be good or bad for CA with the publicity they will be getting today. This year I was just getting comfortable with CA Internet Security Suite after using it a few years ago and dropped it because it was too slow and not catching all the bad guys. Since I have installed it again the beginning of last year, I have had no problems until now. Would you know it would be internal. IE does it all the time. :)

  20. I just spoke to CA and this is indeed a false positive. They hope to have a new signature for download to correct the problem in the afternoon of 31 December.

  21. Opened a ticket with CA earlier today and they have now posted a signature update (31.3.5419) which includes a bug fix for this (Js/snz.a) false positive.
    Download the signature update and you should be good to go.
    Tom

  22. Thanks for this information! The funky thing is, clicking INFO in CA produces a page of theirs that says no results. DUH.

    Peace

  23. It seems a script inside the WOT.jar archive (/skin/include/mooscript.js) also "contains this trojan". This crashed my WOT add-on in Firefox today (www.mywot.com). With the latest update (vet engine .5419) the problem indeed disappears.

    Let the party start and the best in 08.

  24. I used to work heavily with eTrust AV. Just shortly into 2008 (yes, it already is, here in NZ) I got this false positive. I like to think of it as eTrust's way of wishing me a Happy New Year ;)

  25. Thanks for the info, I have been having problems all day. It also seems to be restricting access to certain web pages. Hopefully CA will fix quickly!

  26. Apparently CA has fixed this false positive recently. Updated and issue was resolved.

    GH

  27. I think it fixed the problem on our end as well. Our systems in the office that got pushed the new update are no longer testing positive. We still are getting some alert emails trickling in, but it takes some time for all of our workstations to get the update. If we are still getting alerts on the 2nd I will worry.

  28. My CA showed it yesterday morning too!

  29. My CA showed it yesterday too and deleted it!
